From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 3/3] vpnmain.cgi: Add option to regenerate the host certificate Date: Tue, 30 Jan 2024 17:45:44 +0000 Message-ID: <20240130174544.3986725-3-michael.tremer@ipfire.org> In-Reply-To: <20240130174544.3986725-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4018723726994448922==" List-Id: --===============4018723726994448922== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is necessary since we now have a much shorter lifetime for the host certificate. However, it is complicated to do this is which is why we are copying the previous certificate and generate a new CSR. This is then signed. A caveat of this patch is that we do not rollover the key. Signed-off-by: Michael Tremer --- config/ssl/openssl.cnf | 1 + doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++++++ html/cgi-bin/vpnmain.cgi | 54 +++++++++++++++++++++++++++++++++++++++- langs/en/cgi-bin/en.pl | 1 + 13 files changed, 72 insertions(+), 1 deletion(-) diff --git a/config/ssl/openssl.cnf b/config/ssl/openssl.cnf index 3b980fcd4..00c206ed8 100644 --- a/config/ssl/openssl.cnf +++ b/config/ssl/openssl.cnf @@ -23,6 +23,7 @@ default_md =3D sha256 preserve =3D no policy =3D policy_match email_in_dn =3D no +copy_extensions =3D copyall =20 [ policy_match ] countryName =3D optional diff --git a/doc/language_issues.de b/doc/language_issues.de index 4fd5a0819..fa0705e74 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de 
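Review bot: `copy_extensions = copyall` is set in what looks like the `[ CA_default ]` section, so it applies to every `openssl ca` signing done with this config, not only to the host-certificate renewal this patch needs it for, and with `copyall` an extension carried in the request replaces the same extension from the config (openssl-ca(1) warns that a request with `basicConstraints = CA:TRUE` would then yield a CA certificate). If this CA is also used to sign certificate requests uploaded through vpnmain.cgi for remote peers, as I believe it is although that code is outside this patch, a peer-supplied CSR could smuggle in CA or keyUsage extensions. `copy_extensions = copy` (config extensions win, request extensions are only added when absent) should still carry over what `x509 -x509toreq -copy_extensions copyall` puts into the renewal CSR; alternatively confine `copyall` to a dedicated section selected only by the renewal path. If `copyall` has to stay, at least document the trade-off next to it, e.g. `# copyall lets request extensions override the config ones: only sign CSRs from trusted sources`.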
@@ -933,6 +933,7 @@ WARNING: untranslated string: netbios nameserver daemon = =3D NetBIOS Nameserver Dae WARNING: untranslated string: no entries =3D No entries at the moment. WARNING: untranslated string: optional =3D Optional WARNING: untranslated string: pakfire invalid tree =3D Invalid repository se= lected +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required =3D Required diff --git a/doc/language_issues.en b/doc/language_issues.en index b4327cb78..88e66346b 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1578,6 +1578,7 @@ WARNING: untranslated string: red1 =3D RED WARNING: untranslated string: references =3D References WARNING: untranslated string: refresh =3D Refresh WARNING: untranslated string: refresh index page while connected =3D Refresh= index.cgi page while connected +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.es b/doc/language_issues.es index 45ffdf5d7..ab6b5a1e9 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -995,6 +995,7 @@ WARNING: untranslated string: no data =3D unknown string WARNING: untranslated string: openvpn cert expires soon =3D Expires Soon WARNING: untranslated string: openvpn cert has expired =3D Expired WARNING: untranslated string: pakfire ago =3D ago. +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed =3D unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index cacfb1ec6..e6781362f 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -948,6 +948,7 @@ WARNING: untranslated string: guardian logtarget_syslog = =3D unknown string WARNING: untranslated string: guardian no entries =3D unknown string WARNING: untranslated string: guardian service =3D unknown string WARNING: untranslated string: pakfire ago =3D ago. +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: route config changed =3D unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 68ff12c86..b21f15062 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1215,6 +1215,7 @@ WARNING: untranslated string: rdns =3D rDNS WARNING: untranslated string: reboot fsck =3D Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d1a637215..668df4fc3 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1237,6 +1237,7 @@ WARNING: untranslated string: ptr =3D PTR WARNING: untranslated string: rdns =3D rDNS WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: required =3D Required diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 893f73211..f4a29cb84 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1418,6 +1418,7 @@ WARNING: untranslated string: reboot fsck =3D Reboot & = run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received WARNING: untranslated string: red1 =3D RED +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 64c9b5095..4eface69a 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1413,6 +1413,7 @@ WARNING: untranslated string: reboot fsck =3D Reboot & = run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received WARNING: untranslated string: red1 =3D RED +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eadbd33c7..d5f321dd8 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1125,6 +1125,7 @@ WARNING: untranslated string: ptr =3D PTR WARNING: untranslated string: reboot fsck =3D Reboot & run ‘fsck’ WARNING: untranslated string: rebooting ipfire fsck =3D Rebooting IPFire, fo= rcing filesystem check WARNING: untranslated string: received =3D Received +WARNING: untranslated string: regenerate host certificate =3D Renew Host Cer= tificate WARNING: untranslated string: reiserfs warning1 =3D Reiserfs is deprecated a= nd scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 =3D Ensure a fresh installat= ion is made using either ext4 or xfs filesystems before that date. WARNING: untranslated string: release =3D Release diff --git a/doc/language_missings b/doc/language_missings index 28ae29c2b..2b70ef9f9 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -73,6 +73,7 @@ < optional < quick control < random number generator daemon +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -117,6 +118,7 @@ < invalid ip or hostname < openvpn cert expires soon < openvpn cert has expired +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < service boot setting unavailable @@ -138,6 +140,7 @@ < extrahd not mounted < g.dtm < g.lite +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < spec rstack overflow @@ -523,6 +526,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -1063,6 +1067,7 @@ < rdns < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < required @@ -1943,6 +1948,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release @@ -2934,6 +2940,7 @@ < rebooting ipfire fsck < received < red1 +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release 
@@ -3405,6 +3412,7 @@ < reboot fsck < rebooting ipfire fsck < received +< regenerate host certificate < reiserfs warning1 < reiserfs warning2 < release diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index d82e6b5c9..9173a85d8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -866,6 +866,12 @@ END exit(0); } ### +### Regenerate the host certificate +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'regenerate host certificate'}) { + $errormessage =3D ®enerate_host_certificate(); + +### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'= } || @@ -3612,7 +3618,12 @@ END -   + +
+ + +
+ END ; } else { @@ -3782,3 +3793,44 @@ sub make_subnets($$) { =20 return join(",", @cidr_nets); } + +sub regenerate_host_certificate() { + my $errormessage =3D ""; + + &General::log("ipsec", "Regenerating host certificate..."); + + # Create a CSR based on the existing certificate + my $opt =3D " x509 -x509toreq -copy_extensions copyall"; + $opt .=3D " -signkey ${General::swroot}/certs/hostkey.pem"; + $opt .=3D " -in ${General::swroot}/certs/hostcert.pem"; + $opt .=3D " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage =3D &callssl($opt); + + # Revoke the old certificate + if (!$errormessage) { + &General::log("ipsec", "Revoking the old host cert..."); + + my $opt =3D " ca -revoke ${General::swroot}/certs/hostcert.pem"; + $errormessage =3D &callssl($opt); + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + my $opt =3D " ca -md sha256 -days 825"; + $opt .=3D " -batch -notext"; + $opt .=3D " -in ${General::swroot}/certs/hostreq.pem"; + $opt .=3D " -out ${General::swroot}/certs/hostcert.pem"; + $errormessage =3D &callssl ($opt); + + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + } + + # Reload the new certificate + if (!$errormessage) { + &General::system('/usr/local/bin/ipsecctrl', 'R'); + } + + return $errormessage; +} diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 16a3061b4..5ac651e2f 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
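Review bot: In `regenerate_host_certificate` the old certificate is revoked before a replacement exists, and the `ca` step then writes straight over `certs/hostcert.pem`, so if signing fails (or the box loses power between the two steps) the only host certificate on disk is a revoked or truncated one and `ipsecctrl R` reloads exactly that. Revoking first is presumably forced by `openssl ca`'s unique_subject check on the identical DN, so the safer order is to keep the revoke but sign into a temporary file and `rename` it into place only on success, as sketched below. Revoking only updates the CA index; if the CA's CRL is published to peers, as the rest of vpnmain.cgi presumably does via `ca -gencrl`, it should be regenerated here too, otherwise the old serial is never seen as revoked. Two smaller points: `x509 -copy_extensions` (and `-key`, which replaces the deprecated `-signkey`) needs OpenSSL 3.x, worth a comment since older releases fail here, and the return value of `&General::system('/usr/local/bin/ipsecctrl', 'R')` is ignored, so a failed reload still reports success.
```perl
sub regenerate_host_certificate() {
	my $errormessage = "";
	my $hostcert = "${General::swroot}/certs/hostcert.pem";
	my $newcert  = "${hostcert}.new";

	# … unchanged: build the CSR from $hostcert with "x509 -x509toreq" …
	# … unchanged: "ca -revoke" of the old certificate (needed before re-signing the same DN) …

	# Sign into a temporary file so a failure here never clobbers the live certificate
	if (!$errormessage) {
		&General::log("ipsec", "Self signing host cert...");

		my $opt = " ca -md sha256 -days 825";
		$opt .= " -batch -notext";
		$opt .= " -in ${General::swroot}/certs/hostreq.pem";
		$opt .= " -out ${newcert}";
		$errormessage = &callssl($opt);

		unlink("${General::swroot}/certs/hostreq.pem"); # no more needed
		unlink($newcert) if $errormessage;              # ca may leave a partial file behind
	}

	# Only replace the live certificate and reload once signing has succeeded
	if (!$errormessage) {
		if (rename($newcert, $hostcert)) {
			&General::system('/usr/local/bin/ipsecctrl', 'R');
		} else {
			$errormessage = "Could not install the new host certificate: $!";
			unlink($newcert);
		}
	}

	return $errormessage;
}
```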
@@ -2208,6 +2208,7 @@ 'refresh' =3D> 'Refresh', 'refresh index page while connected' =3D> 'Refresh index.cgi page while conn= ected', 'refresh update list' =3D> 'Refresh update list', +'regenerate host certificate' =3D> 'Renew Host Certificate', 'registered user rules' =3D> 'Talos VRT rules for registered users', 'reiserfs warning1' =3D> 'Reiserfs is deprecated and scheduled to be removed= from the kernel in 2025.', 'reiserfs warning2' =3D> 'Ensure a fresh installation is made using either e= xt4 or xfs filesystems before that date.', --=20 2.39.2 --===============4018723726994448922==--